Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS02ZjU4LWozMjMtNjQ3Ms4AA21F

pimcore/admin-ui-classic-bundle Unverified Password Change

Impact

As old password can be set as new password , it is considered as password policy violation.

Pimcore is not enforcing strict password policy which allow attacker to set old password as new password

Proof of Concept

  1. Go to Admin link
  2. login and click on -> "User | My Profile".
  3. Go to change password now put old password as new password and click save.

Patches

https://github.com/pimcore/admin-ui-classic-bundle/commit/498ac77e54541177be27b0c710e387c47b3836ea.patch

Workarounds

Update to version 1.2.0 or apply this patches manually
https://github.com/pimcore/admin-ui-classic-bundle/commit/498ac77e54541177be27b0c710e387c47b3836ea.patch

References

https://huntr.com/bounties/b031199d-192a-46e5-8c02-f7284ad74021/

Permalink: https://github.com/advisories/GHSA-6f58-j323-6472
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02ZjU4LWozMjMtNjQ3Ms4AA21F
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 6 months ago
Updated: 6 months ago


CVSS Score: 4.3
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Identifiers: GHSA-6f58-j323-6472, CVE-2023-5844
References: Repository: https://github.com/pimcore/admin-ui-classic-bundle
Blast Radius: 3.6

Affected Packages

packagist:pimcore/admin-ui-classic-bundle
Dependent packages: 21
Dependent repositories: 7
Downloads: 262,242 total
Affected Version Ranges: < 1.2.0
Fixed in: 1.2.0
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4
All unaffected versions: 1.2.1, 1.2.2, 1.2.3, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.4.0